Ben Downton, Principal Security Consultant
Starting at the top, the management board reviews the organization's risk exposure and determines what constitutes an acceptable level of risk to ensure a sustainable and resilient organization. This sets the context for any issues identified during the assessment, and without this input none of the other functions can... well, function.
The management board will require evidence of any high-level organizational issues that mean their view of risk exposure (or even risk appetite) could be misaligned.
Results needed: Evidence of organizational or environmental changes that require an adjustment to policy or risk appetite
The executive committee looks at strategic risk that could threaten long-term objectives. The executive committee therefore needs information that will help define the risk strategy.
A lot of this information, such as threat intelligence and business objectives, is gathered before the security strategy is defined. Gaps in the approach, or changes in the threat landscape, will manifest as vulnerabilities identified during the assessment. Following an assessment, therefore, the committee will need information about the effectiveness of that strategy and recommendations to cover previously unknown areas of risk.
Results needed: Updates to the strategy required to address 'blind spots'
Management performs analysis and tactical management of risk at an enterprise level, setting the compliance objectives and standards that must be met. The assessment must therefore identify where failures in process have led to the presence of vulnerabilities.
If management are provided the correct information, issues can be addressed holistically at the source in a far more efficient manner. An example could be a weakness arising due to a lack of secure coding skills in the development team, requiring training to ensure that future vulnerabilities are not introduced.
Results needed: Mapping of individual issues to process failures or capability gaps
Employees are responsible for risk identification and treatment. This could be indirect (simply following the policies laid out by the management team) or direct involvement in resolving issues.
In most cases the recommendations from the assessment will be consumed directly by the employees responsible for implementing them: the IT team making system changes, or business analysts making process changes. Employees may also require evidence from the assessment as part of an awareness exercise, demonstrating the purpose behind security policies or controls.
Results needed: Technical recommendations and remedial action for individual issues
Internal audit and risk management are primarily concerned with reporting of risks, and so the results of any assessment will need to be quantifiable and fit into any current reporting systems.
The team also needs information on where controls that have been implemented are ineffective, to ensure that the most complete view of risk exposure can be presented to the audit and risk committee.
Results needed: Compliance metrics against internal baselines, and details of any failing controls
The audit and risk committee is responsible for providing assurance that threats are being managed and opportunities are being seized.
The committee will therefore need to know which of the threat scenarios that most concern the company could actually be realized. This takes the technical findings and determines whether the issues identified would allow an attacker to achieve a particular objective.
Results needed: Real-world impact, supported by threat intelligence and temporal or environmental information
The value you gain from security assessments can be markedly improved with better input (from your team) and better output (from your appointed assessors). We can see from the above that the most valuable result will detail:
With this information, the entire organization can make a reliable and informed decision about how to address security, and ensure that spending is appropriate, proportional and effective. The gold standard for any business.